
Re: NAT



Ashish Ariga wrote:

On Thu, 2003-09-18 at 18:00, Adrian Berardi wrote:
Hi, I'm a new Debian user, and without too much experience in Linux.
I'm trying to install a Debian here at home to use it as internet
access for a couple of Windows PCs.
Someone told me that I had to install first the two eth, then
configure the network cards, then install dhcp3 (for the PCs to get a
dynamic IP), and then do NAT (iptables).
Everything worked OK, but it is not the case of the NAT: I can access
the internet from the Debian, but I don't know how to configure or what to
install to access the internet from the Windows PCs through the Debian.
Any comment will be kindly accepted!
Best regards, Adrian

Adrian

Is NAT necessary ? How about using Squid ? (Does it do NAT internally ?)
(Sorry, if this sounds stupid, but I'd really like to know.)

NAT is only necessary if you want to allow computers behind the internet gateway to (for the most part) be able to use the internet as if they each had their own public ip address. The general NAT rules you would use are to re-write the source ip and port of internet traffic coming from the internal network to appear to be coming from the gateway machine. It remembers the associations it has made so that when the computer across the internet responds, it can send the reply to the right ip and port in the internal network.

Squid will act as a proxy for some internet traffic, mostly http. If you only want to allow your computers behind the gateway to access the web via the proxy, and configure each browser to use that proxy, then Squid alone is enough for you.

Proxy differs from NAT on some important points. Without some ip packet manipulation, the existence of the proxy server is apparent to all involved parties. Usually you install the proxy server to provide some performance through caching of web content and optionally to filter based on not just ip address but on actual content. NAT on the other hand is mostly invisible to the client and the server across the internet.

Using some tricks of iptables or ipchains you can make your clients think they are not using a web proxy, but redirect the packets through Squid anyway. This is a 'transparent proxy' setup, and you need to tell Squid it's functioning in this mode.

One more NAT trick of iptables is to map a port on your gateway machine to an internal machine's ip address and port. That way you can have your mail, web, or even proxy (Squid) server not on the internet gateway machine.

You can also create 'firewall' rules using iptables or even better install a firewalling package and let it manipulate the iptables rules for your firewall.

These options aren't exclusive to iptables, but my wording is geared towards how iptables is worded and I recommend it over ipchains.

Hopefully that clarifies NAT vs Proxy (Squid) in your mind. For a more in-depth (and correct) look, read up on iptables and Squid at their sites and then how to use them (like at www.tldp.org).

--
Jacob
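The three iptables tricks Jacob describes above (source rewriting for the LAN, the transparent-proxy redirect into Squid, and mapping a gateway port to an internal machine), plus the minimal FORWARD-chain firewall he mentions, as one added example script. This is not code from the original thread. It assumes a hypothetical layout: eth0 is the internet side, eth1 the LAN side, the LAN is 192.168.1.0/24, Squid listens on the gateway on port 3128, and an internal web server sits at 192.168.1.10:80; all of these are overridable through environment variables. By default the script only prints the rules so they can be reviewed; `apply` runs them and needs root.

```shell
#!/bin/sh
# Added example (not from the original post): build the iptables rule set for a
# two-interface Debian gateway that masquerades a LAN, transparently proxies web
# traffic through Squid, and port-forwards a public port to an internal host.
#
# Assumptions (hypothetical, override via environment):
WAN=${WAN:-eth0}                     # interface facing the internet
LAN=${LAN:-eth1}                     # interface facing the Windows PCs
LAN_NET=${LAN_NET:-192.168.1.0/24}   # address range handed out by dhcp3
SQUID_PORT=${SQUID_PORT:-3128}       # Squid listening port on the gateway
WEB_HOST=${WEB_HOST:-192.168.1.10}   # internal web server reached via the gateway

# Emit the rules as shell commands. Printing them keeps the script reviewable
# (and testable) without root; "apply" pipes the same text into sh.
nat_rules() {
    cat <<EOF
# the kernel must be allowed to forward packets between interfaces at all
sysctl -w net.ipv4.ip_forward=1

# start from a clean slate in the chains this script owns
iptables -t nat -F
iptables -F FORWARD

# forwarded traffic is dropped unless a rule below accepts it
iptables -P FORWARD DROP

# anti-spoofing: nothing arriving from the internet may claim a LAN source address
iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP

# 1. transparent proxy: LAN web requests are redirected to Squid on this box
#    (Squid must be told it runs in this mode; clients need no proxy setting)
iptables -t nat -A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT

# 2. port forward: public port 80 on the gateway maps to the internal web server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80

# 3. masquerade: rewrite the source of LAN traffic leaving via $WAN to the gateway's
#    public address; the conntrack table maps replies back to the right LAN host:port
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE

# firewall for forwarded traffic: LAN may go out freely; from the internet only
# replies to existing connections and the one forwarded service come in
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $WEB_HOST --dport 80 -j ACCEPT
EOF
}

# Count the rules that touch the nat table, handy for a quick sanity check.
nat_rule_count() {
    nat_rules | grep -c '^iptables -t nat -A'
}

case "${1:-}" in
    apply) nat_rules | sh -e ;;   # run as root: sh nat-gateway.sh apply
    *)     nat_rules ;;           # default: just print the rules for review
esac
```

Rule order matters in the nat PREROUTING chain only in that both rules are keyed on the incoming interface, so LAN web traffic never hits the DNAT rule and internet traffic never hits the REDIRECT. After DNAT the FORWARD chain already sees the rewritten destination, which is why the last ACCEPT matches on 192.168.1.10:80 rather than on the gateway's address. The rules are not persistent; save them with `iptables-save` once they are reviewed. Squid also has to be told it is intercepting traffic: on current versions that is `http_port 3128 intercept` in squid.conf (older 2.x releases used `transparent` or the httpd_accel_* directives).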


